build(deps): bump the npm_and_yarn group across 1 directory with 13 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
micromatch	4.0.5	4.0.8
semver	5.7.1	5.7.2
semver	6.3.0	6.3.1
npm	9.7.1	9.9.4
js-yaml	4.1.0	4.1.1
@octokit/plugin-paginate-rest	7.1.2	9.2.2
cross-spawn	7.0.3	7.0.6
diff	5.1.0	5.2.2
lodash	4.17.21	4.17.23
tar-fs	2.0.1	2.1.4

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates semver from 5.7.1 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates npm from 9.7.1 to 9.9.4

Changelog

Sourced from npm's changelog.

9.9.4 (2024-11-21)

Dependencies

• 080e201 #7930 hosted-git-info@6.1.3 (#7930)
• 401bb86 #7928 tar@6.2.1
• cfb3b77 #7928 cross-spawn@7.0.6
• 6a5f8a8 #7928 debug@4.3.7
• 72df313 #7928 hosted-git-info@6.1.2

9.9.3 (2024-02-26)

Bug Fixes

• 88ea8c7 #7010 set objectMode for search filter stream (@​lukekarrys)
• 8d9d735 #7010 unpublish: bubble up all errors parsing local package.json (#7049) (@​wraithgar)
• e0e75e5 #7010 unpublish bugfixes (#7039) (@​wraithgar)
• 4d59ce1 #7047 reverse direction of SPDX SBOM dep rels (#7047) (@​bdehamer, @​antonbauhofer)
• 878f22b #7008 properly catch missing url opener error (@​wraithgar)
• 91a8eca #7008 properly catch missing url opener error on interactive prompt (@​wraithgar)

Dependencies

• 1968e0e #7010 spdx-license-ids@3.0.17
• d130576 #7010 spdx-exceptions@2.5.0
• 00f28b8 #7010 signal-exit@4.1.0
• 57096c3 #7010 postcss-selector-parser@6.0.15
• 3ce677e #7010 minipass-fetch@3.0.4
• 89757ed #7010 is-core-module@2.13.1
• bc1e841 #7010 socks@2.8.1
• 01f4049 #7010 ignore-walk@6.0.4
• 15f8982 #7010 function-bind@1.1.2
• 88ff949 #7010 cmd-shim@6.0.2
• 3e298f6 #7010 bin-links@4.0.3
• 35a6286 #7010 are-we-there-yet@4.0.2
• aeb28c4 #7010 agentkeepalive@4.5.0
• edc7e23 #7010 @npmcli/query@3.1.0
• 00a3a08 #7010 tar@6.2.0
• 7f424c3 #7010 ssri@10.0.5
• 79b8538 #7010 semver@7.6.0
• b5faf10 #7010 npm-install-checks@6.3.0
• 2c62266 #7010 node-gyp@9.4.1
• cc0516b #7010 minipass@7.0.4
• 651d362 #7010 json-parse-even-better-errors@3.0.1
• 4b239c6 #7010 glob@10.3.10
• 2f65b46 #7010 fs-minipass@3.0.3
• 6c73ddf #7010 diff@5.2.0
• 73ee6cc #7010 ci-info@4.0.0
• 64715a4 #7010 cacache@17.1.4
• workspace: @npmcli/arborist@6.5.1

... (truncated)

Commits

• 64763a3 chore: release 9.9.4
• 080e201 deps: hosted-git-info@6.1.3 (#7930)
• 401bb86 deps: tar@6.2.1
• cfb3b77 deps: cross-spawn@7.0.6
• 6a5f8a8 deps: debug@4.3.7
• 72df313 deps: hosted-git-info@6.1.2
• 4998adf chore: release 9.9.3
• 77fa150 chore(release): do not exclude docs directory from CLI release commits (#7162)
• 1d4c464 chore: @​npmcli/template-oss@​4.21.3
• 88ea8c7 fix: set objectMode for search filter stream
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @octokit/plugin-paginate-rest from 7.1.2 to 9.2.2

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v9.2.2

9.2.2 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#660) (e1e4489)

v9.2.1

9.2.1 (2024-03-01)

Bug Fixes

• pkg: pin @octokit/core peerDependency to v5 (#599) (5b84386)

v9.2.0

9.2.0 (2024-02-22)

Features

• new /orgs/{org}/organization-roles/{role_id}/teams and /orgs/{org}/organization-roles/{role_id}/users endpoints (#594) (75aeaaf)

v9.1.5

9.1.5 (2023-12-04)

Bug Fixes

• bump octokit/types minor version (#581) (65baec4)

v9.1.4

9.1.4 (2023-11-12)

Bug Fixes

• deps: bump @octokit/types (#575) (27db9ae)

v9.1.3

9.1.3 (2023-11-09)

Bug Fixes

• deps: bump @octokit/types (#574) (0940cb7)

v9.1.2

9.1.2 (2023-10-26)

... (truncated)

Commits

• e1e4489 fix: ReDos regex vulnerability, reported by @​DayShift (#660)
• 5b84386 fix(pkg): pin @octokit/core peerDependency to v5 (#599)
• fa01f94 ci(action): update actions/add-to-project action to v0.6.0 (#598)
• 75aeaaf feat: new /orgs/{org}/organization-roles/{role_id}/teams and `/orgs/{org}/o...
• 54d6bcf chore(deps): update dependency prettier to v3.2.5
• 1bfa2f8 chore(deps): update dependency npm-run-all2 to v6
• eb4a8fe chore(deps): replace dependency npm-run-all with npm-run-all2 ^5.0.0
• 11ef779 chore(deps): update dependency esbuild to ^0.20.0
• 2b6cc98 ci(action): update peter-evans/create-or-update-comment action to v4
• d7c9de5 chore(deps): update dependency prettier to v3.2.4 (#588)
• Additional commits viewable in compare view

Updates @octokit/request-error from 3.0.3 to 5.1.1

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

v5.0.1

5.0.1 (2023-09-23)

Bug Fixes

• deps: update dependency @​octokit/types to v12 (#366) (590fc39)

v5.0.0

5.0.0 (2023-07-07)

Bug Fixes

• deps: update dependency @​octokit/types to v11 (#348) (372097e)

BREAKING CHANGES

• deps: upgrade @octokit/types to v11

v4.0.2

4.0.2 (2023-06-16)

Bug Fixes

• deps: update dependency @​octokit/types to v10 (#343) (28b1958)

... (truncated)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• 590fc39 fix(deps): update dependency @​octokit/types to v12 (#366)
• 4b9c57e ci(action): update peter-evans/create-or-update-comment digest to 46da6c0
• 710afc3 ci(action): update peter-evans/create-or-update-comment digest to 1f6c514
• c82c8ce ci(action): update peter-evans/create-or-update-comment digest to 223779b
• ec24ead ci(action): update peter-evans/create-or-update-comment digest to 46846e5 (#362)
• 365f18d ci(action): update actions/checkout action to v4
• Additional commits viewable in compare view

Updates @octokit/request from 6.2.8 to 8.4.1

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates diff from 5.1.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

v5.2.0

Commits

• #411 Big performance improvement. Previously an O(n) array-copying operation inside the innermost loop of jsdiff's base diffing code increased the overall worst-case time complexity of computing a diff from O(n²) to O(n³). This is now fixed, bringing the worst-case time complexity down to what it theoretically should be for a Myers diff implementation.
• #448 Performance improvement. Diagonals whose furthest-reaching D-path would go off the edge of the edit graph are now skipped, rather than being pointlessly considered as called for by the original Myers diff algorithm. This dramatically speeds up computing diffs where the new text just appends or truncates content at the end of the old text.
• #351 Importing from the lib folder - e.g. require("diff/lib/diff/word.js") - will work again now. This had been broken for users on the latest version of Node since Node 17.5.0, which changed how Node interprets the exports property in jsdiff's package.json file.
• #344 diffLines, createTwoFilesPatch, and other patch-creation methods now take an optional stripTrailingCr: true option which causes Windows-style \r\n line endings to be replaced with Unix-style \n line endings before calculating the diff, just like GNU diff's --strip-trailing-cr flag.
• #451 Added diff.formatPatch.
• #450 Added diff.reversePatch.
• #478 Added timeout option.

Commits

• b7b6339 v5.2.2
• b5377ab Update package version to 5.2.1
• 7801789 Backport kpdecker/jsdiff#649
• 042a837 Backport kpdecker/jsdiff#647
• 370a9df 5.2.0 release (#483)
• a2f726a Add myself to the list of maintainers (#482)
• dfc6fe4 Add examples to docs of creating and applying patches (importantly including ...
• b5d1cfa Modify node_example.js to support showing added/deleted spaces (#479)
• 533893d Add timeout option (#478)
• 1f1ec96 Replace broken link to Myers's paper in the README with a working one (#476)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates npm from 9.7.1 to 9.9.4

Changelog

Sourced from npm's changelog.

9.9.4 (2024-11-21)

Dependencies

• 080e201 #7930 hosted-git-info@6.1.3 (#7930)
• 401bb86 #7928 tar@6.2.1
• cfb3b77 #7928 cross-spawn@7.0.6
• 6a5f8a8 #7928 debug@4.3.7
• 72df313 #7928 hosted-git-info@6.1.2

9.9.3 (2024-02-26)

Bug Fixes

• 88ea8c7 #7010 set objectMode for search filter stream (@​lukekarrys)
• 8d9d735 #7010 unpublish: bubble up all errors parsing local package.json (#7049) (@​wraithgar)
• e0e75e5 #7010 unpublish bugfixes (#7039) (@​wraithgar)
• 4d59ce1 #7047 reverse direction of SPDX SBOM dep rels (#7047) (@​bdehamer, @​antonbauhofer)
• 878f22b #7008 properly catch missing url opener error (@​wraithgar)
• 91a8eca #7008 properly catch missing url opener error on interactive prompt (@​wraithgar)

Dependencies

• 1968e0e #7010 spdx-license-ids@3.0.17
• d130576 #7010 spdx-exceptions@2.5.0
• 00f28b8 #7010 signal-exit@4.1.0
• 57096c3 #7010 postcss-selector-parser@6.0.15
• 3ce677e #7010 minipass-fetch@3.0.4
• 89757ed #7010 is-core-module@2.13.1
• bc1e841 #7010 socks@2.8.1
• 01f4049 #7010 ignore-walk@6.0.4
• 15f8982 #7010 function-bind@1.1.2
• 88ff949 #7010 cmd-shim@6.0.2
• 3e298f6 #7010 bin-links@4.0.3
• 35a6286 #7010 are-we-there-yet@4.0.2
• aeb28c4 #7010 agentkeepalive@4.5.0
• edc7e23 #7010 @npmcli/query@3.1.0
• 00a3a08 #7010 tar@6.2.0
• 7f424c3 #7010 ssri@10.0.5
• 79b8538 #7010 semver@7.6.0
• b5faf10 #7010 npm-install-checks@6.3.0
• 2c62266 #7010 node-gyp@9.4.1
• cc0516b #7010 minipass@7.0.4
• 651d362 #7010 json-parse-even-better-errors@3.0.1
• 4b239c6 #7010 glob@10.3.10
• 2f65b46 #7010 fs-minipass@3.0.3
• 6c73ddf #7010 diff@5.2.0
• 73ee6cc #7010 ci-info@4.0.0
• 64715a4 #7010 cacache@17.1.4
• workspace: @npmcli/arborist@6.5.1

... (truncated)

Commits

• 64763a3 chore: release 9.9.4
• 080e201 deps: hosted-git-info@6.1.3 (#7930)
• 401bb86 deps: tar@6.2.1
• cfb3b77 deps: cross-spawn@7.0.6
• 6a5f8a8 deps: debug@4.3.7
• 72df313 deps: hosted-git-info@6.1.2
• 4998adf chore: release 9.9.3
• 77fa150 chore(release): do not exclude docs directory from CLI release commits (#7162)
• 1d4c464 chore: @​npmcli/template-oss@​4.21.3
• 88ea8c7 fix: set objectMode for search filter stream
• Additional commits viewable in compare view

Updates `tar...

Description has been truncated